[c-nsp] help on NAT rate limiting

Rodney Dunn rodunn at cisco.com
Wed Dec 29 17:18:16 EST 2004


This appears to be the difference.

When the RST/FIN comes in before the
translation is timed out more aggressively
even though the default timeout is still
24 hours.

I'm checking to see why this change was done.

So the default really didn't change for the global
translation timeout.

The aggressive timer when a close happens appears
to have for some reason.


I'll let you know what I figure out....


In 12.2(12) if I have overload and a TCP
session the timeout looks like this after
the session is closed:

101_#sh ip nat trans ver
Pro Inside global      Inside local       Outside local      Outside global
tcp 3.3.3.1:11004      1.1.1.1:11004      3.3.3.2:23         3.3.3.2:23
    create 00:00:10, use 00:00:06, left 23:59:53, Map-Id(In): 1,
    flags: 
extended, use_count: 0

Close the session:

101_#sh ip nat trans ver
Pro Inside global      Inside local       Outside local      Outside global
tcp 3.3.3.1:11004      1.1.1.1:11004      3.3.3.2:23         3.3.3.2:23
    create 00:00:16, use 00:00:01, left 00:00:58, Map-Id(In): 1,
    flags: 
extended, timing-out, use_count: 0
101_#sh ver | incl IOS
IOS (tm) Solaris Software (UNIX-JS-M), Version 12.2(12), RELEASE SOFTWARE (fc1)
101_#

so it will age out in 1 minute.


Now on 12.3(12):

101_#sh ip nat trans ver
Pro Inside global      Inside local       Outside local      Outside global
tcp 3.3.3.1:11005      1.1.1.1:11005      3.3.3.2:23         3.3.3.2:23
    create 00:00:07, use 00:00:03, left 23:59:56, Map-Id(In): 1,
    flags: 
extended, use_count: 0
101_#!close the session
101_#sh ip nat trans ver
Pro Inside global      Inside local       Outside local      Outside global
tcp 3.3.3.1:11005      1.1.1.1:11005      3.3.3.2:23         3.3.3.2:23
    create 00:00:16, use 00:00:06, left 23:59:53, Map-Id(In): 1,
    flags: 
extended, use_count: 0

The translation will not time out for 24 hours even after the session
is closed.


On Wed, Dec 29, 2004 at 03:53:47PM -0500, Rodney Dunn wrote:
> I missed that in the long response.
> 
> Let me take a look and see what I
> can find.
> 
> Rodney
> 
> On Wed, Dec 29, 2004 at 01:06:17PM -0700, james edwards wrote:
> > 
> > ----- Original Message ----- 
> > From: "Rodney Dunn" <rodunn at cisco.com>
> > To: "Ted Mittelstaedt" <tedm at toybox.placo.com>
> > Cc: <cisco-nsp at puck.nether.net>
> > Sent: Wednesday, December 29, 2004 8:14 AM
> > Subject: Re: [c-nsp] help on NAT rate limiting
> > 
> > 
> > > 12.3 what.  I need the exact version so
> > > I can verify on some bugs that are listed.
> > > 
> > 
> > Looks like 12.3.12 to me:
> > 
> > The only other thing I can think might possibly be the explanation
> > here is that there's a bug in IOS 12.3 where the translator is
> > missing some of the tcp connection close commands.  But, this is
> > IOS 12.3.12 and I've had this same problem on earlier 12.3 versions
> > on a 1600 series at a different customer - I switched back to 12.1
> > on that one.  I find it hard to believe such a glaring bug (which
> > basically makes nat useless in a default configuration) would not
> > have been found after twelve iterations of IOS!!!
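As an added example (not part of the original post, and not Cisco code): a Python parser for the `show ip nat translations verbose` output quoted above, plus a before/after-close comparison that reproduces the check Rodney ran by hand. The 60-second FIN/RST timer used as the "healthy" threshold is the value observed in the 12.2(12) output (left 00:00:58 with the timing-out flag); the sample inputs are the outputs from the post, and the 86400-second figure is the 24-hour default the post mentions.

```python
"""Parse `show ip nat translations verbose` and check whether a TCP
translation started aging out after its session was closed.

Added example, not from the original post. The output format follows
the thread; FINRST_TIMEOUT is the 60 s observed there (an assumption
about the box under test, not a value taken from its configuration)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

ENTRY_RE = re.compile(r"^(tcp|udp|icmp|---)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
TIMER_RE = re.compile(r"create (\d+:\d+:\d+), use (\d+:\d+:\d+), left (\d+:\d+:\d+)")
FLAGS_RE = re.compile(r"flags:\s*(.*?)\s*use_count:\s*(\d+)")

FINRST_TIMEOUT = 60       # seconds a closed TCP translation should have left
TCP_TIMEOUT = 24 * 3600   # the 24-hour default global TCP translation timeout


def hms(s: str) -> int:
    """'23:59:53' -> seconds."""
    h, m, sec = (int(x) for x in s.split(":"))
    return h * 3600 + m * 60 + sec


@dataclass
class Translation:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str
    create_age: int   # seconds since the entry was created
    use_age: int      # seconds since it last carried a packet
    left: int         # seconds until it is aged out
    flags: List[str]
    use_count: int

    def key(self) -> Tuple[str, str, str]:
        return (self.proto, self.inside_global, self.outside_global)


def parse_nat_verbose(text: str) -> List[Translation]:
    """Group each entry line with the indented detail lines that follow it.
    The 'flags:' line wraps onto a second line in the IOS output, so the
    detail lines are joined before the regexes are applied."""
    blocks: List[Tuple[re.Match, List[str]]] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            blocks.append((m, []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    out = []
    for m, detail in blocks:
        joined = " ".join(detail)
        t, f = TIMER_RE.search(joined), FLAGS_RE.search(joined)
        if not t or not f:
            continue   # header or prompt text, not a translation
        flags = [x.strip() for x in f.group(1).split(",") if x.strip()]
        out.append(Translation(*m.groups(), hms(t.group(1)), hms(t.group(2)),
                               hms(t.group(3)), flags, int(f.group(2))))
    return out


def closed_session_verdicts(before_text: str, after_text: str) -> Dict[Tuple[str, str, str], str]:
    """Compare a snapshot taken before the TCP session was closed with one
    taken after. Healthy: the entry is marked timing-out and has at most
    the FIN/RST timer left. Stale: the full tcp-timeout is still running."""
    before = {t.key(): t for t in parse_nat_verbose(before_text)}
    verdicts = {}
    for t in parse_nat_verbose(after_text):
        if t.proto != "tcp" or t.key() not in before:
            continue
        if "timing-out" in t.flags and t.left <= FINRST_TIMEOUT:
            verdicts[t.key()] = "aging out"
        else:
            verdicts[t.key()] = "stale"
    return verdicts


# Outputs copied from the post: 12.2(12) before and after close, then 12.3(12).
V122_BEFORE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 3.3.3.1:11004      1.1.1.1:11004      3.3.3.2:23         3.3.3.2:23
    create 00:00:10, use 00:00:06, left 23:59:53, Map-Id(In): 1,
    flags:
extended, use_count: 0
"""
V122_AFTER = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 3.3.3.1:11004      1.1.1.1:11004      3.3.3.2:23         3.3.3.2:23
    create 00:00:16, use 00:00:01, left 00:00:58, Map-Id(In): 1,
    flags:
extended, timing-out, use_count: 0
"""
V123_BEFORE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 3.3.3.1:11005      1.1.1.1:11005      3.3.3.2:23         3.3.3.2:23
    create 00:00:07, use 00:00:03, left 23:59:56, Map-Id(In): 1,
    flags:
extended, use_count: 0
"""
V123_AFTER = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 3.3.3.1:11005      1.1.1.1:11005      3.3.3.2:23         3.3.3.2:23
    create 00:00:16, use 00:00:06, left 23:59:53, Map-Id(In): 1,
    flags:
extended, use_count: 0
"""

if __name__ == "__main__":
    for label, b, a in (("12.2(12)", V122_BEFORE, V122_AFTER), ("12.3(12)", V123_BEFORE, V123_AFTER)):
        for key, verdict in closed_session_verdicts(b, a).items():
            print(label, key, verdict)
```

On a real box the two snapshots are taken from the router before and after closing the test session, exactly as in the post. The two timers involved are configured with `ip nat translation tcp-timeout` and `ip nat translation finrst-timeout`; the point of the thread is that on 12.3(12) the second one no longer appears to kick in after a close, so a stale verdict here means the translation will sit in the table until the full tcp-timeout expires.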

